#1 Global Leader in Data Protection & Ransomware Recovery

How to Change Account Used by Linux Hardened Repository

KB ID: 4348
Product: Veeam Backup & Replication
Published: 2022-11-03
Last Modified: 2023-03-17
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please try again later.

Prepare for Veeam Backup & Replication v12

Starting in Veeam Backup & Replication 12, the Linux Server associated with a Hardened Repository using Immutability may only be added using single-use credentials.

During the upgrade to Veeam Backup & Replication 12, any Linux server associated with a Hardened Repository with Immutability will have its credentials switched to single-use. As it is impossible to use single-use credentials with the root account, any Linux server associated with a Hardened Repository with Immutability using a root account will cause the upgrade to v12 to be blocked until a non-root account is assigned.

All customers using Hardened Repositories with Immutability are encouraged to review their configuration and ensure that any Linux Server associated with a Hardened Repository is configured to use a non-root account.

Purpose

This article documents the procedure for changing which account is used by Veeam Backup & Replication to communicate with underlying Linux Server used by a Hardened Linux Repository, including reassigning ownership of existing backup files.

Challenge

When attempting to upgrade to Veeam Backup & Replication 12, the upgrade Configuration Check displays a Compatibility issue: "Insecure hardened repository configuration." The mouse-over tooltip for this issue states:

Please update the account used by the following Linux servers
according to the Veeam Support Knowledge Base article KB4348:
<Linux Server Name>
Config Check Error

Solution

In Veeam Backup & Replication, a Hardened Repository refers to the use of single-use credentials or immutability, or a combination of both.

In Veeam Backup & Replication 11, when configuring a Hardened Repository with Immutability, it is recommended to use single-use credentials but not strictly required. Starting in Veeam Backup & Replication 12, single-use credentials will become a requirement for Hardened Repository Immutability.

To allow the upgrade to Veeam Backup & Replication 12 to complete, ensure that the account assigned to the underlying Linux server associated with the Hardened Repository with Immutability is either:

 

Change Account

  1. Edit the Linux Server
  2. On the SSH Connection page of the Wizard, Click Add and select "Single-use credentials for hardened repository"
  3. Click Next through the pages of the Wizard, and finally, Click Finish to save the changes.

 

After changing the account used with the Linux server,  the Veeam Data Movers will lose access to previously written restore points. Use the script below to reassign ownership of the backup files to the new non-root account to ensure continued access to the existing restore points.

 

Reassigning Ownership of Restore Points

When changing the account used by Veeam Backup & Replication to connect to the Linux server, all files and folders within the repository path must have their ownership changed using the chown command. However, the files marked as immutable must first have their immutability status removed using chattr -i. Once the ownership has been changed, the immutability flag must be reapplied to those files where it was removed using chattr +i. It is critical that only the files that were immutable before the ownership change have the immutability flag reapplied.

Below is an example bash script that performs these steps and tracks which files were immutable before the ownership change. This script is an example and may not function with some distributions of Linux. It should be run as root (or using sudo) to reassign ownership of the backup files in the immutable repository path.

Script Syntax: ./change_backup_owner.sh <repository_path> <username> <groupname>

#!/bin/bash

auxiliaryfile="/tmp/veeamstoragefilenames_"$(date '+%Y-%m-%d-%H-%M')

find $1 -name "*.vbk" -o -name "*.vib" -type f > $auxiliaryfile
while read -r line;
do
is_immutable=false
STR=$(eval lsattr -Rl ${line// /\\ })
SUB=' Immutable'
SUB2=',Immutable'
if [[ "$STR" == *"$SUB"* ]]; then
is_immutable=true
elif [[ "$STR" == *"$SUB2"* ]]; then
is_immutable=true
fi
if [[ $is_immutable == 'true' ]]; then
eval chattr -i "${line// /\\ }" ;
fi
eval chown $2:$3 "${line// /\\ }" ;
if [[ $is_immutable == 'true' ]]; then
eval chattr +i "${line// /\\ }" ;
fi
done < $auxiliaryfile

find $1 -name "*.vbm" -type f > $auxiliaryfile
while read -r line;
do
eval chown $2:$3 "${line// /\\ }" ;
done < $auxiliaryfile

chown -R $2:$3 $1 2>/dev/null

rm -rf $auxiliaryfile
Example:
Change Ownership
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please try again later.